Anonymized credit card data – only locations and times of purchases made – are enough to identify a person, a new MIT study shows. Shopping habits are so unique, that knowledge of only four transactions help tell who the buyer is.

Three months of credit card transactions carried out by 1.1
million people in 10,000 shops in one country were studied by the
Massachusetts Institute of Technology team, which made the
results public in a January 30 issue of
Science journal.

The name of the country is not specified, it’s only designated as
an Organization for Economic Co-operation and Development (OECD)
country. The source of the data is only mentioned as a “major
bank.”

The scientists dealt with anonymized data, which did not contain
neither names nor account numbers. Only metadata was left
available – the time and place of a purchase.

To identify a particular person in the bulk of financial
metadata, one only needs “four pieces of outside information
about a user,” the study revealed. Those four pieces could
be a person’s four non-anonymous purchases. One’s social media
activity is one source of this type of information.

“For example, let’s say that we are searching for Scott in a
simply anonymized credit card data set,” the research says.
“We know two points about Scott: he went to the bakery on 23
September and to the restaurant on 24 September. Searching
through the data set reveals that there is one and only one
person in the entire data set who went to these two places on
these two days.”

Knowing the price of a purchase makes identification process
quicker and simpler.

"We are showing that the privacy we are told that we have
isn't real," study co-author Alex ‘Sandy’ Pentland of MIT
told AP.

Among the things the scientists came across in their research was
that women were easier to identify then men, and that the higher
income one had the more vulnerable he or she was to exposure. The
study authors chose not to focus on the reasons behind these
factors.

The research makes our expectations of privacy no more than an
"illusion," Eugene Spafford, director of Purdue
University's Center for Education and Research in Information
Assurance and Security.

Metadata has been placed into spotlight by former NSA contractor
Edward Snowden, who disclosed US’s NSA collected records of times
and locations of phone-calls and emails of millions of Americans.

"While government surveillance has been getting a lot of
press, and certainly the revelations warrant such scrutiny, a
large number of corporations have been quietly expanding their
use of data," privacy consultant and author Rebecca Herold
told AP.

Studies like this show "how metadata can be used to pinpoint
specific individuals,” she added, and offered to look into
other spheres in which basic information could potentially appear
too revealing, like insurance, loan and mortgage applications,
divorce proceedings.